Vigor2710 Series User’s Guide
Pass – Click it to allow an inquiry for data transmission between the hosts located on both sides of the VPN tunnel while connecting.
Block – When a conflict occurs between the hosts on both sides of the VPN tunnel while connecting, this function can block data transmission of NetBIOS naming packets inside the tunnel.
Multicast via VPN
Some programs might send multicast packets via VPN connection.
Pass – Click this button to let multicast packets pass through the router.
Block – This is the default setting. Click this button to have the router block multicast packets.
User Name
This field is applicable when you select PPTP or L2TP with or
without IPSec policy above.
Password
This field is applicable when you select PPTP or L2TP with or
without IPSec policy above.
IKE Authentication Method
This group of fields is applicable for IPSec Tunnels and L2TP with IPSec Policy when you specify the IP address of the remote node. The only exception is that Digital Signature (X.509) can be set when you select IPSec tunnel either with or without specifying the IP address of the remote node.
Pre-Shared Key - Check the Pre-Shared Key box to enable this function and type in the required characters (1-63) as the pre-shared key.
Digital Signature (X.509) – Check the Digital Signature box to enable this function and select one of the predefined profiles set in VPN and Remote Access >> IPSec Peer Identity.
IPSec Security Method
This group of fields is required for IPSec Tunnels and L2TP with IPSec Policy when you specify the remote node. Check the Medium, DES, 3DES or AES box as the security method.
Medium-Authentication Header (AH) means data will be authenticated, but not encrypted. By default, this option is enabled. You can uncheck it to disable it.
High-Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated. You may select the encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES.
Local ID - Specify a local ID to be used for Dial-in setting in the LAN-to-LAN Profile setup. This item is optional and can be used only in IKE aggressive mode.
4.9.6 LAN to LAN
Here you can manage LAN-to-LAN connections by maintaining a table of connection
profiles. You may set parameters including specified connection direction (dial-in or
dial-out), connection peer ID, connection type (VPN connection - including PPTP, IPSec
Tunnel, and L2TP by itself or over IPSec) and corresponding security methods, etc.
The router supports 2 VPN tunnels and provides up to 32 profiles simultaneously. The following figure shows the summary table.
Set to Factory Default
Click to clear all indexes.
Name
Indicates the name of the LAN-to-LAN profile. The symbol ??? represents that the profile is empty.
Status
Indicates the status of individual profiles. The symbols V and X represent active and inactive profiles, respectively.
Click each index to edit each profile and you will get the following page. Each LAN-to-LAN profile includes 4 subgroups. If the fields are grayed out, you may leave them untouched. The following explanations will guide you to fill in all the necessary fields.
Because the web page is too long, we divide it into several sections for explanation.
Profile Name
Specify a name for the profile of the LAN-to-LAN connection.
Enable this profile
Check here to activate this profile.
Netbios Naming Packet
Pass – Click it to allow an inquiry for data transmission between the hosts located on both sides of the VPN tunnel while connecting.
Block – When a conflict occurs between the hosts on both sides of the VPN tunnel while connecting, this function can block data transmission of NetBIOS naming packets inside the tunnel.
Multicast via VPN
Some programs might send multicast packets via VPN connection.
Pass – Click this button to let multicast packets pass through the router.
Block – This is the default setting. Click this button to have the router block multicast packets.
Call Direction
Specify the allowed call direction of this LAN-to-LAN profile.
Both - initiator/responder
Dial-Out - initiator only
Dial-In - responder only
Always On or Idle Timeout
Always On - Check to have the router always keep the VPN connection up.
Idle Timeout: The default value is 300 seconds. If the connection has been idle for longer than this value, the router will drop the connection.
Enable PING to keep alive
This function helps the router determine the status of an IPSec VPN connection, and is especially useful in the case of abnormal IPSec VPN tunnel disruption. For details, please refer to the note below. Check to enable the transmission of PING packets to a specified IP address.
PING to the IP
Enter the IP address of the remote host located at the other end of the VPN tunnel.
Enable PING to keep alive is used to handle abnormal IPSec VPN connection disruption. It provides the state of a VPN connection so that the router can judge whether to redial. Normally, if either VPN peer wants to disconnect, it should follow a series of packet exchanges to inform the other. However, if the remote peer disconnects without notice, the Vigor router has no way of knowing about it. To resolve this dilemma, by continuously sending PING packets to the remote host, the Vigor router can know whether the VPN connection truly exists and react accordingly. This is independent of DPD (dead peer detection).
Type of Server I am calling
PPTP - Build a PPTP VPN connection to the server through the Internet. You should set the identity, such as User Name and Password below, for authentication by the remote server.
IPSec Tunnel - Build an IPSec VPN connection to the server through the Internet.
L2TP with IPSec Policy - Build an L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPSec. Select from below:
None: Do not apply the IPSec policy. Accordingly, a VPN connection that employs L2TP without IPSec policy can be viewed as a pure L2TP connection.
Nice to Have: Apply the IPSec policy first, if it is applicable during negotiation. Otherwise, the dial-out VPN connection becomes a pure L2TP connection.
Must: Specify that the IPSec policy must be applied on the L2TP connection.
User Name
This field is applicable when you select PPTP or L2TP with or without IPSec policy above.
Password
This field is applicable when you select PPTP or L2TP with or without IPSec policy above.
PPP Authentication
This field is applicable when you select PPTP or L2TP with or without IPSec policy above. PAP/CHAP is the most common selection due to wide compatibility.
VJ compression
This field is applicable when you select PPTP or L2TP with or without IPSec policy above. VJ Compression is used for TCP/IP protocol header compression. Normally set to Yes to improve bandwidth utilization.
IKE Authentication Method
This group of fields is applicable for IPSec Tunnels and L2TP with IPSec Policy.
Pre-Shared Key - Input 1-63 characters as pre-shared key.
Digital Signature (X.509) - Select one of the predefined profiles set in VPN and Remote Access >> IPSec Peer Identity.
IPSec Security Method
This group of fields is required for IPSec Tunnels and L2TP with IPSec Policy.
Medium AH (Authentication Header) means data will be authenticated, but not encrypted. By default, this option is active.
High (ESP-Encapsulating Security Payload) - means payload (data) will be encrypted and authenticated. Select from below:
DES without Authentication - Use the DES encryption algorithm and do not apply any authentication scheme.
DES with Authentication - Use the DES encryption algorithm and apply the MD5 or SHA-1 authentication algorithm.
3DES without Authentication - Use the triple DES encryption algorithm and do not apply any authentication scheme.
3DES with Authentication - Use the triple DES encryption algorithm and apply the MD5 or SHA-1 authentication algorithm.
AES without Authentication - Use the AES encryption algorithm and do not apply any authentication scheme.
AES with Authentication - Use the AES encryption algorithm and apply the MD5 or SHA-1 authentication algorithm.
Advanced
Specify mode, proposal and key life of each IKE phase, Gateway, etc.
The window of advanced setup is shown below:
IKE phase 1 mode - Select from Main mode and Aggressive mode. The ultimate outcome is to exchange security proposals to create a protected secure channel. Main mode is more secure than Aggressive mode since more exchanges are done in a secure channel to set up the IPSec session. However, Aggressive mode is faster. The default value in Vigor router is Main mode.
IKE phase 1 proposal - To propose the locally available authentication schemes and encryption algorithms to the VPN peers, and get their feedback to find a match. Two combinations
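
An added example (not part of the DrayTek guide or the Vigor firmware): a Python check that reviews a LAN-to-LAN profile against the options described above and reports the choices that leave tunnel traffic unencrypted, unauthenticated, or negotiated in Aggressive mode. The dictionary keys and sample profiles are constructed for illustration and assume settings transcribed by hand from the web page; the DES key-size remark is general cryptographic knowledge rather than a statement from the guide.

```python
# Added example. The profile dictionaries are a constructed, hand-transcribed
# representation of the web page's fields, not a format the router exports.

def audit_profile(p):
    """Return (field, finding) tuples for one LAN-to-LAN profile dict."""
    out = []
    server = p.get("type_of_server")  # "PPTP", "IPSec Tunnel" or "L2TP"
    uses_ipsec = server == "IPSec Tunnel"
    if server == "L2TP":
        policy = p.get("l2tp_ipsec_policy", "None")
        if policy == "None":
            out.append(("l2tp_ipsec_policy", "pure L2TP, no IPSec policy applied"))
        elif policy == "Nice to Have":
            out.append(("l2tp_ipsec_policy",
                        "becomes pure L2TP if IPSec is not negotiated; use Must"))
        uses_ipsec = policy in ("Nice to Have", "Must")
    if uses_ipsec:
        # The guide states Medium (AH) is active by default.
        method = p.get("ipsec_security_method", "Medium (AH)")
        if method == "Medium (AH)":
            out.append(("ipsec_security_method", "AH: authenticated, not encrypted"))
        elif method.endswith("without Authentication"):
            out.append(("ipsec_security_method", "ESP with no authentication scheme"))
        if method.startswith("DES"):
            # General cryptographic fact, not a statement from the guide.
            out.append(("ipsec_security_method", "single DES uses a 56-bit key"))
        # The guide states Main is the default and more secure than Aggressive.
        if p.get("ike_phase1_mode", "Main") == "Aggressive":
            out.append(("ike_phase1_mode", "Aggressive mode selected instead of Main"))
        psk = p.get("pre_shared_key")
        if psk is not None and not 1 <= len(psk) <= 63:
            out.append(("pre_shared_key", "outside the 1-63 character range"))
    return out

# Constructed sample profiles (names and keys are placeholders).
SAMPLE_PROFILES = {
    "branch-a": {"type_of_server": "IPSec Tunnel", "pre_shared_key": "x" * 32,
                 "ipsec_security_method": "AES with Authentication"},
    "branch-b": {"type_of_server": "IPSec Tunnel", "pre_shared_key": "k" * 20,
                 "ipsec_security_method": "DES without Authentication",
                 "ike_phase1_mode": "Aggressive"},
    "branch-c": {"type_of_server": "L2TP", "l2tp_ipsec_policy": "Nice to Have"},
}

if __name__ == "__main__":
    for name, profile in SAMPLE_PROFILES.items():
        for field, finding in audit_profile(profile):
            print(f"{name}: {field}: {finding}")
```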
